Wednesday, 31 July 2013

An interesting enforcement notice has been slapped into the
hands of the Chief Constables of the Leicestershire, Derbyshire and
Nottinghamshire Police Forces. Usual reason – sloppy data protection handling standards,
bordering on the farcical. Here we go again – unencrypted laptops were stolen,
containing (among other things) prison records and other details relating to approximately
4,500 offenders from across the forces.

The subsequent ICO investigation found that an East Midlands
Collaboration Unit had been set up for mutual assistance purposes, although it
wasn’t clear why the information on the laptops really needed to be pooled. No-one had bothered to carry out a risk assessment to assess what information
needed to be pooled to ensure the Unit met its objectives, nor how such information
ought to be appropriately protected.

I could go on but I won’t. And I guess that all over the
country, some of the more enlightened members of the data protection community
are thinking “there but for the grace of God go I”. This unit can’t have been
the only one to have been set up, no doubt with the best intentions and with no desire
to operate recklessly, but now something
has gone wrong, someone will get a good
kicking for having allowed the reputation of the police to get another
hammering.

What stands out to me is just why, in this case, the ICO
decided that an enforcement notice was more appropriate than a Civil Monetary Penalty.
After all, the theft of the laptops occurred in August 2010 – some 4 months
after the ICO had the power to award Civil Monetary Penalties. So how can the
police not be fined when Health Trusts have been fined when they lost similar
amounts of (and often much less) sensitive personal data?

Is the ICO appreciating the futility of fining public sector
organisations? Or is it just concerned not to damage the close working
relationships that must be maintained with the police forces as it works with
them and the Crown Prosecution Service to take effective action against the criminals
who commit data protection (and similar) offences?
Or is it for another reason?

We may get a better idea of the current attitude to fining
public sector bodies when the ICO announces what action it will have taken
against the Ministry of Justice following the recent admission that a network server
containing 400,000 confidential court files – including the personal details of
victims and witnesses – was apparently stolen by a subcontractor in January 2012
during the decommissioning of Salford Magistrate’s Court. No-one noticed the
theft for several months – until the server was offered for sale on eBay.

Will the MoJ be required to pay a Civil Monetary Penalty for
this awful incident? Or will the Minister of Justice simply be served with an Enforcement
Notice that requires him to ensure his Department follows the laws he is responsible for drafting more carefully? And how will this affect the quality of the working relationship between
the ICO and the MoJ?

If they want to know more about risk management, protecting data
stored on their computer (in terms of what the Government can do and what users
can do to protect themselves), data on the wire, information stored by third
parties, foreign terrorism and intelligence investigations, and defensive
technologies, then this is the website to browse.

For those who can’t wait to get to the payoff, here it is:

If you don’t keep it, they can’t get it – so destroy
unnecessary records

If you do keep it, protect it with file encryption
and strong passwords.

Encrypt your internet communications to prevent
wiretapping

Use anonymising tools like Tor when you’re online.

Always delete your providers’ copies of emails
and voicemails as soon as you no longer need them.

Tuesday, 23 July 2013

I’m thinking of running a
Regulation sweepstake – and the winner will be the first person who correctly
identifies the first European Commissioner to predict in public that, because
of the range of disagreements over its content, the Data Protection Regulation
is not going to be agreed before the June 2014 deadline. If just a few of the many thousands
of data protection aficionados contact me with, say, a ten Euro stake, some
lucky person could soon be in possession of an awful lot of money. And for
what? Just for nominating the bravest of the brave – ie the person who is prepared
to put their head above the parapet and be the first to confirm what is surely
obvious to everyone.

But then again, who would do
that? Who would presume to step out of line and confirm that the legislative
process that needs to be undertaken can’t be trimmed to suit the needs of the
EuroParliamentary calendar?

That would almost be admitting defeat.

That would be akin to admitting
that the proposal to introduce an absurdly complicated Regulation (together with
a Directive on various data protection issues affecting law enforcement) was
not the brightest of bright ideas. Or admitting
that the concept of legislating without knowing the financial effects of the
proposals was, perhaps, a little on the silly side. Or admitting that an
emphasis on processes, rather than outcomes, to encourage innovation, was
perverse.

Still, in this glorious summer
season, when politicians (and some policymakers) are taking a much deserved
break, now is the time to let our money start talking. Those of us who have
been on this policymaking circuit for some time know what the outcome will be.
A glorious own goal. Proof that the privacy community is incapable of
collectively knocking its head together and hammering out a shared
understanding of what it is that matters to us all, in this data rich world.

Do we have no collective vision?

Evidently not. The lack of engagement between some elements of
the privacy community is quite staggering - and I blame the cultural constraints that make
it impossible for these sides to embrace ideas deeply held by others. On the policymaking side, I see so little
leadership from the European Parliament. A lot of posturing, yes, but no real leadership.
Who are the key players and who are the clowns? And how is it that so many
clowns generate so much media coverage? Just because they are so willing to speak
at conferences etc doesn’t make them any less a clown.

Perhaps, in a future (and more
Eurosceptic) European Parliament, there will be a greater emphasis on ensuring
that general policies can be tailored to meet the cultural needs of different
communities. There may be fewer “fundamental” rights - and privacy rights that were suitable in a
pre-internet age will eventually be tailored to the realities of data rich
societies.

And perhaps, in future, there
will be a focus on what can be achieved by a data rich society, rather than
just on the constraints that policymakers wish to place around those few, those
very few, players whose creations will transform our lives very much for the
better. If I were incubating a creator,
I really wouldn’t encourage them to set up their operations in a regulatory environment
that was as hostile as that which the European Commission is currently
proposing.

But enough of my rant. Today we ought to be thinking of what we can do that will bring us all joy, rather than what rules can be put in place to constrain us.

Greetings to the latest member of the Royal Family. I only hope that he grows up in a world where policymakers do what they can to bring people joy, rather than set petty rules to constrain people from creating stuff they might find really useful.

Monday, 22 July 2013

I doubt that David Davies MP or many of our chums at the
privacy campaigning groups will be too keen to highlight a huge problem recently
spotted by Sir Paul Kennedy, the former Interception of Communications
Commissioner.

David Davies is well known for advocating that the
procedures about who should be capable of obtaining communications data should invariably
involve a judicial warrant, rather than the signature of a senior law
enforcement official, supported by an
experienced SPoC (Single Point of Contact) officer. In his (and their) view, a
judge will always be better placed to offer a far better degree of impartial
oversight than “the man at the desk next door.”

Accordingly, he was pleased to support a provision in the
Protection of Freedoms Act 2012 which meant that since last November, Local
Authorities have had to obtain judicial approval before they could acquire any
communications data.

But in his Annual Report, published last week, Sir Paul Kennedy
has commented on the consequences – which is a 63% reduction in the number of applications
by local authorities in the first 4 months of the legislation being enacted. In
his words: “I do not believe that local authorities have stopped requesting
the data because they no longer need it, but I suspect the reason they have stopped is due to the
overly bureaucratic and costly process now in place.”

Sir Paul continued: “Local authorities have reported experiencing
lengthy time delays in just obtaining an appointment with a magistrate (in the
worst case 6 weeks). Other local authorities have reported that the magistrates
were totally unaware of the legislation and as a result they had to provide them
with advice and guidance. This is worrying, particularly considering the Home
Office gave a commitment to properly train the magistrates to carry out this role.
In one case that has been reported to my
office, the magistrate did not ask to see the application form which set out
the necessity and proportionality
justifications, or the DPs approval. The application was approved on the basis
of a verbal briefing from the applicant and DP. It is extremely concerning that
the paperwork in this case was not examined to check that it had been properly
authorised.

Furthermore, in this case the local authority failed to
serve the judicial application / order form on the CSP with the associated
Section 22(4) Notice, but the CSP disclosed the data without question. There
was no evidence that the acquisition of the data has been lawfully approved in the
absence of the judicial application / order form and therefore it is worrying
that the CSP disclosed the data in this case.

I was informed by the Home Office that Her Majesty’s Court
Service (HMCS), which falls under the remit of the Ministry of Justice,
concluded that it would not be possible to manage the judicial process
electronically. This is regrettable and has meant that the judicial part of the
process has had to be dealt with manually outside of the fully electronic,
auditable application system that is in place at the National Anti-Fraud
Network (NAFN). This significantly increases the administrative burden. There
is also the possibility of more errors occurring as the communications
addresses have to be double keyed. Furthermore I have also been informed by the
Home Office that HMCS did not think that it would be possible for the judicial
part of the process to be managed by the NAFN SPoCs attending their local courts in the Tameside and Brighton areas,
as it would place too much burden on
those courts. As a result each application gets bounced back and forth between
the applicant in the local authority, the SPoC at NAFN, the DP in the local
authority and the magistrate in the local court, which increases bureaucracy
and time delays. Often the applicant is not best placed to advise the
magistrate on the communications data process or the conduct that will be
undertaken by the SPoC to acquire the data. In other cases, local authorities have
actually reported that the courts have tried to charge them directly for
attending the court. The figures that have been shared with my office to date
show that no requests have yet been refused by a magistrate.

Taking into account this evidence I question how much value
judicial approvals have added to the process. I have long been a proponent of
the SPOC system and this ensures there is a robust safeguard in relation to the
acquisition and disclosure of communications data. The Joint Committee
conducting the pre-legislative scrutiny of the draft Communications Data Bill concluded
that “in the case of local authorities it should be possible for magistrates to
cope with the volume of work involved in approving applications for authorisation.
But we believe that if our recommendations are accepted and incorporated into
the Bill, they will provide a stronger authorisation test than magistrates can.
Although approval by magistrates of local authority authorisations is a very recent
change in the law, we think that if our recommendations are implemented it will
be unnecessary to continue with different arrangements applying only to local
authorities.” I concur with this sentiment and am very concerned that there is
a serious danger that the types of crime that cause real harm to the
public (such as rogue traders and illegal money lenders) will not be
investigated properly due to the difficulties with the judicial approval
process.”

So the next time David Davies stands up in Parliament to
lament the awful fate of those many victims of crime who are unlikely to receive
“justice”, I do hope he admits that on this matter he might just have got it
wrong, and that SPoC officers can do a better job than magistrates in ensuring investigators
access the evidence they need to convict those who deserve to go down.

Wednesday, 17 July 2013

As the temperature soars
this summer, the usual suspects are making the usual noises about the way law
enforcement bodies acquire private communications data.

On the one hand,
something must be done about the current RIPA regime, as the legislation really
does need updating to make it more easily cover today’s communications technologies.
Thirteen years is a very long time in terms
of technological innovation, and the legislation, passed by Parliament back in
2000, was rather technology specific.

But on the other hand, there
is some disagreement over what should replace it. Parliamentarians who have had
the usual briefings will be aware of a range of measures that could be introduced
relatively quickly to improve the way the current process operates, without
needing to concern themselves too much about redefining the range of categories
of communications information that ought to fall within the remit of RIPA.

Many pressure groups are
concerned that a revised RIPA will give Parliament the opportunity to extend
the range of data types to cover many not currently on the radar. However, such
a review might also give Parliamentarians the opportunity to narrow the range
of data types that are currently available. A couple of pressure groups just appear
to want to kill RIPA completely, without offering suggestions as to what ought
to replace it.

I expect the pleas for
further investigations into the rules around accessing private communications
will continue, especially since Parliament’s Intelligence and Security
Committee has just confirmed that it was unable to find any evidence of rule
breaking when reviewing the way GCHQ acted in seeking information from the US
Prism programme.

I’m sure that some will
have deep suspicions of an establishment cover-up – and will disregard the view
that, actually, the Brits involved in such operations do behave frightfully
well.

The cynic in me suggests
that “issues” like this are just what special interest groups within the
privacy community need anyway – as it’s a great way to engage with supporters and fly the flag for personal freedoms, etc. Especially when the
foe, aka the Home Office, does not appear to respond to the critics. Anyway, in
a crisis, it’s more likely that said supporters will donate much needed
campaign funds. So I expect many commentators to call this a “crisis” for some
time to come.

But many campaigners do
hold genuine concerns about the adequacy of the existing safeguards, and refuse
to accept that a lack of disciplinary action by the Surveillance Commissioner
and the Information Commissioner and the Interception of Communications
Commissioner is purely due to a lack of poor behaviour by law enforcers.

So, where ought we go
from here?

Well, I doubt that a
review will really change the opinion of those who have their hearts and minds
set against the State needing to access private information for law enforcement
purposes. Although relatively few in number, they are capable of creating a significant
media splash.

Perhaps the Home Office
will counter with more examples of occasions when official access to communications
data was both necessary and helpful. Perhaps more opinion formers will publish
articles supporting the concept of state intrusion into people’s private lives.
Perhaps another wholly unwelcome terrorist spectacular (which could have been prevented
had our boys in blue acted faster) will change the public debate.

Or perhaps new voices
will emerge, such as those of the current Interception of Communications
Commissioner, engaging more frequently on public platforms to convince the
doubters of the robustness of his oversight powers. Perhaps the public need to
be assured (if they are that bothered in the first place) by the sound of new
players on the scene.

I do hope some new voices
will emerge.

Just as I hope that Parliament
will shortly do something rather than do nothing, to address the communications
capability “gap” that was evidently so important when the Home Office laid its
case for action before Parliament last year.

If there really is a significant
gap, then when is it going to be filled?

Monday, 15 July 2013

Some chump has come up with a brilliant wheeze
to take our minds off the fact that, even after all these years, there is no
universally agreeable view on the meaning of “personal data”. When does an item
of information become “personal data”, and thus subject to the full rigour of
the Data Protection Act? Or the Data Protection Directive? Or, even, the proposed
General Data Protection Regulation? For, if it is not “personal data”, then the
Act / Directive / Regulation does not apply, and a business can treat it just
as it would treat any other type of business information.

The wheeze is brilliant in its
simplicity – rather than worry about the definition of “personal data”, let’s
create another data category, and commence earnest discussions on what elements
of data protection legislation should be applied to that, instead. Where the connection with an identified (or identifiable) person is weak or slight, the rules could be relaxed.

So, the high priests of data protection
have been convening to determine whether different laws ought to apply to a
different type of information. To make this different type as obscure as
possible, it’s been given the name “pseudonymous”. Aficionados of
data protection adore this sort of stuff – they just love dealing with terms
that are hard to pronounce, spell and define.

A recent meeting of said aficionados in Central London considered
whether a definition of pseudonymous
data should be included in the proposed Regulation. And, if so, what it should include.

It goes without saying that after earnest debate, consensus was
there none. Not only is it a difficult concept to grasp, any definition really
needs to be considered in the context of the entire instrument – which naturally
did not currently exist, nor were betting men prepared to countenance might
exist in the foreseeable future.

I don’t think that anyone was prepared to rubbish the concept of
pseudonymisation – after all, anything that makes it easier for an individual
to protect their privacy should be welcomed. But do such terms really need to
be mentioned in legislation? And if they are mentioned, what incentives are on
offer to encourage data controllers to adopt pseudonymous techniques?

The discussion continued. But what should happen when data can be
readily depseudonymised? (yawn)

And the questions kept coming. Should it be possible to deny individuals their subject access rights would continue to apply to pseudonymous
data? Or apply data portability or the ‘right to be forgotten’ to pseudonymous
data? (deeper yawn)

I’m sure that all this stuff needs to be debated, earnestly and
with great rigour. But not on a hot sunny day.

Even our chums at the ICO have revised their views on whether to
support a definition of pseudonymous data. They were keener on the concept than
they are today. Given the difficulties in defining the difference between personal
data and pseudonymous data, there’s not a lot of point referring to it in the
proposed Regulation. Hurrah. It’s always pleasing to note when the ICO supports
a risk-based approach to issues such as these.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.